Description:
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. IAM provides the infrastructure necessary to control authentication and authorization for your account.
Rationale:
Requiring that the user take additional steps to obtain programmatic access after their profile has been created gives a stronger indication of intent that access keys are necessary for their work, and it means that once an access key is established on an account, the key may be in use somewhere in the organization.
Impact:
Reduces unnecessary access to the console.
Default Value:
AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user credentials, you have to determine what type of access they require.
Pre-Requisite:
IAM User
Remediation:
Test Plan:
AWS Console Process
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the left navigation pane select users.
Click on a User where column Password age and Active key age is not set to None
Click on the Security credentials tab.
Compare the user's Creation time to the Access Key Created date.
For any that match, the key was created during initial user setup.
Using AWS CLI
Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization:
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16
The output of this command will produce a table similar to the following:
user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
elise,false,true,2015-04-16T15:14:00+00:00,false,N/A
brandon,true,true,N/A,false,N/A
rakesh,false,false,N/A,false,N/A
helene,false,true,2015-11-18T17:47:00+00:00,false,N/A
paras,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00
anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A
Implementation Plan:
AWS Console Process
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the left navigation pane select users.
Click on desired user.
Click on the Security credentials tab.
Click on the X (Delete) for keys that were created at the same time as the user profile but have not been used.
Using AWS CLI
The following delete-access-key command deletes the specified access key (access key ID and secret access key) for the IAM user:
aws iam delete-access-key --access-key-id <access-key-id-listed> --user-name <users-name>
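The Test Plan check above (console users whose active access key was created at user-creation time and has never been used), as an added example that is not part of the benchmark text. It reads the full decoded credential report rather than the six cut columns, because only the full report carries user_creation_time and access_key_N_last_rotated; it assumes Python 3.7+, the standard report column names, and a one-minute matching tolerance, and the report rows are constructed sample data.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the layout of the decoded credential report (all 18 columns).
# access_key_N_last_rotated holds the key's creation date when it has never been rotated.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
brandon,arn:aws:iam::123456789012:user/brandon,2016-02-01T09:30:12+00:00,true,2016-09-01T08:00:00+00:00,2016-02-01T09:30:12+00:00,N/A,false,true,2016-02-01T09:30:14+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
paras,arn:aws:iam::123456789012:user/paras,2016-01-10T14:00:00+00:00,true,2016-08-28T12:04:00+00:00,2016-01-10T14:00:00+00:00,N/A,true,true,2016-01-10T14:00:02+00:00,2016-08-28T12:04:00+00:00,us-east-1,s3,true,2016-03-01T10:00:00+00:00,2016-03-04T10:11:00+00:00,us-east-1,ec2
helene,arn:aws:iam::123456789012:user/helene,2016-01-05T08:00:00+00:00,true,2016-11-01T09:00:00+00:00,2016-01-05T08:00:00+00:00,N/A,false,true,2016-05-01T12:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
elise,arn:aws:iam::123456789012:user/elise,2015-03-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2015-03-01T10:00:03+00:00,2015-04-16T15:14:00+00:00,us-west-2,sts,false,N/A,N/A,N/A,N/A
"""

def _ts(value):
    """Parse a report timestamp; N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def keys_created_at_setup(report_csv, tolerance=timedelta(minutes=1)):
    """Return (user, key slot) pairs for console users whose active access key was
    created within `tolerance` of the user itself and has never been used."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] != "true":  # skips root (not_supported) and API-only users
            continue
        created = _ts(row["user_creation_time"])
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{slot}_last_rotated"])
            used = _ts(row[f"access_key_{slot}_last_used_date"])
            if created and rotated and abs(rotated - created) <= tolerance and used is None:
                findings.append((row["user"], int(slot)))
    return findings

def remediation_commands(findings):
    """The report carries no key IDs, so list each flagged user's keys before deleting."""
    users = list(dict.fromkeys(user for user, _ in findings))
    return [f"aws iam list-access-keys --user-name {user}" for user in users]

if __name__ == "__main__":
    found = keys_created_at_setup(SAMPLE_REPORT)
    for user, slot in found:
        print(f"{user}: access key {slot} created at user setup and never used")
    for cmd in remediation_commands(found):
        print(cmd)
```

Feed it the real report with `aws iam get-credential-report --query 'Content' --output text | base64 -d` and follow each listed key with the delete-access-key command from the Implementation Plan.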
Backout Plan:
AWS Console Process
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the left navigation pane select users.
Click on desired user.
Click on the Security credentials tab.
Scroll down to Access keys and click on Create access key.
Using AWS CLI
The following create-access-key command creates an access key (access key ID and secret access key) for the IAM user:
aws iam create-access-key --user-name <users-name>